
Google, FBI warn of IT imposters targeting law firms in person

The FBI says fake IT support is now showing up in person, with imposters trying to walk stolen access past remote-work controls.

Marcus Chen · 2 min read
Source: techcrunch.com

The latest twist in workplace fraud is not another phishing email. It is a person who shows up claiming to be IT, asks for a laptop, and tries to turn a routine support request into a data theft.

The FBI warned on May 26 that Silent Ransom Group, also tracked as Luna Moth, Chatty Spider and UNC3753, has been using phone calls and phishing emails to pose as IT support and push employees into granting remote desktop access. If that fails, the group may send someone in person to gain physical access to a computer, claiming they need to image the device or make a backup to fix a phishing problem. The bureau said the group has been active since at least 2022 and has consistently targeted U.S.-based law firms since spring 2023, while also hitting organizations in insurance, finance and healthcare.


Google Mandiant said it identified a related financially motivated campaign from January through May 2026 that targeted dozens of organizations across professional, legal and financial services in the United States. The attack pattern is built for speed, not spectacle: the FBI said SRG usually seeks rapid access and data exfiltration instead of traditional ransomware encryption, then threatens to publish or sell stolen data. To move files out, investigators said the group has used WinSCP, a hidden or renamed version of Rclone, Google Drive, Microsoft OneDrive, external hard drives and USB drives.
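As an added illustration (not code from the FBI, Mandiant or this publication), the sketch below shows one way a defender might flag a renamed Rclone binary in process-creation telemetry. It assumes Sysmon Event ID 1 records already parsed into dictionaries with the `Image`, `OriginalFileName`, `Description` and `CommandLine` fields, and it assumes the version-info strings shown in the code match those in official Rclone Windows builds; the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: version-info strings carried by official Rclone Windows builds.
RCLONE_ORIGINAL_NAME = "rclone.exe"
RCLONE_DESCRIPTION = "rsync for cloud storage"
TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
# "remote:path" argument; needs 2+ name characters so drive letters (C:\) do not match.
REMOTE_ARG = re.compile(r"^[\w.-]{2,}:")

def classify(event):
    """Label one process-creation record, or return None if nothing matches."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    orig = event.get("OriginalFileName", "").lower()
    desc = event.get("Description", "").lower()
    if orig == RCLONE_ORIGINAL_NAME or desc == RCLONE_DESCRIPTION:
        return "rclone" if image == RCLONE_ORIGINAL_NAME else "renamed-rclone"
    # Version info can be stripped, so fall back to the command-line shape:
    # a transfer verb plus a remote:path argument (heuristic, expect some noise).
    args = event.get("CommandLine", "").split()[1:]
    has_verb = any(a.lower() in TRANSFER_VERBS for a in args)
    has_remote = any(REMOTE_ARG.match(a) for a in args)
    return "rclone-like-cmdline" if has_verb and has_remote else None

def scan(events):
    """Return (image, label) for every event that classify() flags."""
    hits = [(e["Image"], classify(e)) for e in events]
    return [(img, label) for img, label in hits if label]

# Constructed sample events (not from the FBI or Mandiant reporting).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "Description": "Rsync for cloud storage",
     "CommandLine": r"C:\ProgramData\svchost.exe copy D:\Clients remote1:backup"},
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "Description": "Rsync for cloud storage",
     "CommandLine": r"C:\Tools\rclone.exe version"},
    {"Image": r"C:\Users\Public\upd.exe", "OriginalFileName": "-",
     "Description": "-",
     "CommandLine": r"C:\Users\Public\upd.exe sync D:\Matters gd:archive"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "Description": "Windows Command Processor",
     "CommandLine": r"cmd.exe /c copy a.txt D:\b.txt"},
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label:20} {image}")
```

A sanctioned `rclone.exe` still gets the `rclone` label, so an environment that uses the tool legitimately would filter on the `renamed-rclone` and `rclone-like-cmdline` labels.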

For monday.com employees, the warning lands in the exact places remote companies often trust most: onboarding, the help desk and the front desk. The practical fix is not more paranoia, but more friction. Unscheduled in-person IT support should be treated as suspicious. Requests to run a remote-control tool or plug in a storage device should move through formal internal channels before anyone touches corporate hardware. That matters in a company with distributed teams and office-facing roles, where one convincing impersonator can move faster than a security policy written for email alone.

monday.com says its security program is based on ISO 27001 and is reviewed annually, and that employees must complete formal information-security and privacy training. Its white paper says that training happens at onboarding and at least once a year after that. The company also says it manages data for more than 250,000 customers worldwide and hosts enterprise data on AWS infrastructure in the United States, the European Union and Australia, with Frankfurt, Germany available for EU hosting. For a platform that runs projects, CRM, IT and development workflows, the risk is not just one compromised laptop. It is the trust that makes everyday work move.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
